Transcription of dni.gov
Countering FIE Threats: Best Practices

The six best practices covered by this Guide, as listed in the original graphic: establish programs countering FIE threats; identify and assess risks to sensitive assets; develop and implement mitigation strategies; share threat information and warnings internally and externally; integrate counter-FIE efforts across the organization; promote CI and security training and awareness.

Effective programs to counter foreign intelligence entity (FIE) threats are focused on three overarching outcomes:

1. Identification of foreign intelligence threats and sharing of threat information
2. Safeguarding of sensitive information, assets, and activities
3. Prevention and detection of insider threats

The best practices detailed in this Guide, from identifying and assessing risks to promoting training and awareness, are complementary program components that, when employed together, can effectively shield your organization from FIE threats.

The National Counterintelligence and Security Center (NCSC) is charged with leading and supporting the counterintelligence (CI) and security activities of the government, the Intelligence Community, and private sector entities that are at risk of intelligence collection, penetration, or attack by foreign adversaries and malicious insiders.
The capabilities and activities described in this Guide are exemplars of program components delineated as requirements in numerous strategies, policies, and guidelines. This Guide is a living document and will be updated to reflect improved and innovative ways to achieve the above outcomes. In addition, organization-specific capabilities and activities may be defined and implemented to ensure unique needs are met. Finally, nothing in this document shall be construed as authorization for any organization to conduct activities not otherwise authorized under statute, executive order, or other applicable law, policy, or regulation, nor does this document obviate an organization's responsibility to conduct activities that are otherwise mandated, directed, or recommended for execution under those authorities.

Practice #1: Programs Countering FIE Threats

Purpose and Description: A program provides a formal organizational construct for countering FIE threats. It should be positioned so that the effort to counter threats to sensitive information and assets is given comparable priority and resources as other parts of the organization and is given consideration during activities such as budget formulation and allocation discussions, staffing determinations, strategic planning, and other leadership activities.

Recommendation: Heads of departments and agencies should designate a senior official within their organization who shall be responsible for countering threats from FIEs.
Action: Designate a senior official responsible for implementing and overseeing the program for countering threats from FIEs.

Note: The designated official should have direct access to the head of the organization as well as to the organization's security, CI, acquisition/procurement, and information technology (IT) senior leadership. Additionally, the selected official should work closely with the senior official designated under the requirements of the White House Memorandum on National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs for leading efforts to counter threats to the agency from malicious insiders.

Recommendation: The designated senior official should lead the development of policies, procedures, or guidelines designed to implement a program within his or her organization for countering FIE threats.

Action: In consultation with program managers, develop and implement policies, procedures, and guidelines to not only safeguard the organization's sensitive assets, but also mitigate vulnerabilities to any known, specific FIE threats to those assets.
Action: Identify resource needs, develop and justify the program's budget, and seek assistance from NCSC to provide advocacy, where necessary. The senior official should also ensure that training and professional development opportunities are made available to personnel directly responsible for CI and security program elements.

Option: Organizations may establish additional requirements of their own, provided they are consistent with applicable laws, presidential directives, and other guidance.

Recommendation: The designated senior official should build interdisciplinary partnerships among elements of the organization, including CI, security, information assurance (IA), chief information officer (CIO), human resources (HR), and acquisition/procurement.

Action: Develop relationships inside and outside the agency and communicate the importance of understanding and countering the FIE threat.

Note: These partnerships should result in effective sharing of information about FIE threats and organizational vulnerabilities associated with sensitive information, assets, and activities, as well as communicate the importance of countering FIE threats.
This will, in turn, enable the organization to leverage the appropriate capabilities to protect them.

Practice #2: Identify and Assess Risks to Sensitive Assets

Purpose and Description: Creating an inventory of sensitive information, assets, and activities enables a department or agency to focus attention on its highest priorities and ensure all are assessed for potential vulnerabilities and FIE interest. Engaging a cross-functional team with senior-level support to perform a risk assessment of these assets will ensure that all organizational missions and interests are addressed. The risk assessment, performed periodically, is the cornerstone for all security and counter-threat activities that follow.

Recommendation: The senior official, in consultation with the agency's appropriate personnel, should identify and document the agency's sensitive information, assets, and activities. Note that the collection, maintenance, and use of any personally identifiable information (PII) for this purpose should be governed by the provisions of the Privacy Act of 1974.
Recommendation: The senior official should then oversee a risk assessment process that includes these key steps:

Action: Evaluate FIE threats to the agency's sensitive information, assets, and activities, including the agency's acquisitions.
Action: Identify organizational vulnerabilities to threats from FIEs or malicious insiders, including physical vulnerabilities.
Action: Assess the likelihood that the threat will compromise the agency's sensitive information, assets, and activities.
Action: Determine adverse impact if assets are lost or compromised.
Action: Identify appropriate mitigation measures.
Action: Catalog threat data and additional analysis to further inform risk assessment efforts.
Action: Integrate risk assessment processes and mitigation measures into the organization's program planning and budgeting cycle.
Action: Establish mechanisms for continually updating the inventory of sensitive information, assets, and activities, and incorporating it into the organization's risk assessment process.

Note: Details on how to plan, organize, and execute a CI and Security Risk Assessment can be found in NCSC's Counterintelligence/Security Risk Assessment Framework for Federal Agencies.

Sensitive information, assets, and activities include the following:
- Information classified pursuant to Executive Order 13526, Executive Order 12829, Executive Order 13549, and Executive Order 12333
- Critical infrastructure, as defined in Executive Order 13636
- Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies (such information will fall under the program established under Executive Order 13556)
- National security systems, as defined by the Committee on National Security Systems (CNSS) in CNSSD-505 and CNSSI-4009 (while most systems falling under this definition are classified, not all are, and these must be designated and managed appropriately)
- Activities authorized by law or policy, as determined by departments and agencies, that would have a debilitating impact on the mission of the department or agency or on the economic or national security of the United States if compromised
- PII pertaining to individuals that is maintained within an agency's systems of records, pursuant to the Privacy Act and Executive Order 12333

Practice #3: Develop and Implement Mitigation Strategies

Purpose and Description: Protective measures and mitigation strategies include an organization's decisions or actions that safeguard its sensitive information, assets, and activities from FIE threats.
The measures and strategies should be commensurate with the threats to the organization and include such elements as information security measures, personnel security practices, foreign contact and visitor vetting, supply chain risk management, and prevention of unauthorized disclosures. Some of the necessary measures may require specialized training for security personnel or outreach to federal partners. In addition, this Guide references several documents featuring specific examples or guidelines that can support development of protective measures for the organization. All actions should be coordinated with the appropriate responsible internal office (e.g., security, CIO, IA, IT).

Recommendation: The organization should implement protective measures and mitigation strategies to reduce its vulnerabilities to FIE threats.

Foreign Exposure

Action: Establish a policy requiring personnel to report in advance non-official foreign travel to their security office.
Action: Brief employees traveling to high- and medium-threat locations, as appropriate, in advance of the trip, and debrief them upon return.
For a sample reporting and debriefing guide, see the referenced Foreign Travel Reporting Form.
Action: Establish policies requiring notification to security offices of all close and continuing or suspicious contact with foreign nationals by personnel with access to sensitive information, assets, and activities. Develop processes for managing notifications and response actions. For a sample foreign contact form, see the referenced Foreign Contact Form.
Action: Establish and maintain a foreign contact repository.
Action: Vet foreign contacts through appropriate channels to identify any affiliation with a foreign intelligence service.
Action: Ensure all requests by foreign nationals to visit the organization are appropriately documented. Establish and maintain an electronic record of all foreign visitors.

Note: Where possible, collection of foreign travel, foreign contact, and foreign visitor notifications should be automated and retained in a common database or information system to enable trend analysis and threat analysis.

Information Systems

Action: Implement intrusion detection systems to counter unauthorized attempts to access or obtain sensitive information on your organization's networks.
Action: Implement user activity monitoring capabilities, where able, in accordance with the 2014 Guide to Accompany the National Insider Threat Policy and Minimum Standards.

Note: To create an effective, layered defense for information systems, organizations should ensure compliance with the Federal Information Security Modernization Act of 2014 (FISMA) and all National Institute of Standards and Technology (NIST) and CNSS guidance.

Reporting to Mitigate Personnel Vulnerabilities

Action: Establish policies requiring employees to notify security personnel of suspicious incidents involving sensitive information, assets, or activities. See the referenced Incident Response Form.
Action: Evaluate personnel security information reported by employees regarding CI concerns about themselves or others. Consult the Security Executive Agent National Assessment Program (SNAP) Survey for more details about designing a complete personnel security program. Consult the Security Executive Agent Directive (SEAD) 3: Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position for details about reporting requirements for relevant agency personnel.

Supply Chain Vulnerabilities

Action: Implement measures to mitigate vulnerabilities introduced through the organization's supply chain processes, including potential FIE access to products and services prior to acquisition, as well as vulnerabilities that emerge over the lifecycle of a product or service.

Facilities Vulnerabilities

Action: Where appropriate, implement technical surveillance countermeasures (TSCM) to safeguard sensitive information, assets, and activities.